Protected Healthcare Information is a Lucrative Target. How Can Organizations Stay Two Steps Ahead?

By Mike Polatsek
October 01, 2024 | 4 MIN READ

Lock up your patient names, prescriptions, and biometric data — according to the IBM Cost of a Data Breach Report 2023, the cost of a single healthcare breach in the United States is now close to $11M, increasing by over 53% over the past three years. Close to a quarter (24%) of all reported US cyber events in 2024 so far have been directed towards the healthcare sector, making it the most targeted industry overall. 

When healthcare organizations fail to put sufficient safeguarding tools and processes in place to protect Protected Healthcare Information (PHI), internal systems, and devices, the impact can be catastrophic. Beyond the cost of the breach itself and the erosion of reputation and patient trust, regulators enforcing HIPAA are coming down hard on businesses that have not performed an adequate risk analysis, or that have failed to adopt the right measures to identify vulnerabilities in their organizations ahead of time.

Why is healthcare under siege like never before, and what can organizations do to protect themselves and their patient data?

What Makes Healthcare a Prime Target for Cybercrime? 

Ultimately, most cybercriminals are looking for the quickest route to a payday, and there are a number of reasons why healthcare is a lucrative target. First, the high value of the data creates a high margin for the attacker: a single healthcare data record can be sold for $60 on the Dark Web, compared with just $15 for a social security number, for example. In addition, the high regulatory pressure and the inherent urgency of providing continuous operations and 24/7 data access to deliver lifesaving care create a strong motivation for healthcare organizations to pay a ransom or give in to demands. Earlier this year, Change Healthcare paid a $22M ransom to have their PHI returned after a ransomware attack.

Behind the scenes, healthcare has a wide attack surface, with millions of endpoints spread across locations and an ecosystem of interconnected medical devices, computers, and machines. Because these environments often rely on legacy systems that are hard to modernize given the criticality of the services they support, a single unpatched application or vulnerability can become an open door.

Finally, healthcare is also suffering from a growing shortage of security skills and talented personnel, and it has a large user base that often lacks security training and identity hygiene. Healthcare staff are skilled in their day-to-day work, but that work may be operating specific software, focusing on patient care, or handling anything from diagnostics to surgery. Most healthcare professionals are not security experts, and close to 40% of healthcare leaders say their organization is at risk of security threats due to knowledge gaps.

Healthcare Targets in 2024 

To understand these factors in practice, let's look at two high-profile healthcare attacks from this year and what they tell us about cybercrime in healthcare.

Ransomware against Change Healthcare brings down interconnected systems nationwide

The Change Healthcare ransomware attack proves that even smaller organizations are not safe, because an attack on a larger vendor or supplier can impact every interconnected system and process downstream. When the threat actor ALPHV/BlackCat targeted Change Healthcare, the ripple effect is thought to have impacted 1 in 3 Americans through connected parties such as pharmacies, healthcare providers, and billing companies.

Healthcare is one of the most interconnected industries, with organizations reliant on a complex patchwork of vendors, systems, insurance providers, and third parties. All it takes is a weakness somewhere in the supply chain to impact your business, too. If you think your organization is too small to target, think again.

Ascension attack proves the risks of downloading the wrong file into the network

In June 2024, an employee at an Ascension hospital accidentally downloaded a malicious file, leading to widespread disruption and disclosure of PHI. Ascension has 140 hospitals across 10 states in the U.S., and the attack impacted connected systems including MyChart, which is used to track patient medications, dosages, and appointments. Some clinicians were sent back to working on pen and paper, seriously compromising patient care.

FBI data shows that the most frequently reported cybercrime is phishing, proving that attackers rely on human error to gain that all-important initial access to systems. Tools like FraudGPT leverage AI to help attackers build realistic messages, which makes it even harder for victims to spot AI-generated text in an email or a text message.

How Can Security Awareness Training Reduce Risk in Healthcare?

Shoring up your defenses against the heightened risk in healthcare starts with your own employees' security hygiene. Since phishing is the top initial access vector attackers use to gain a foothold, steal data, or launch ransomware attacks, reducing that exposure is a crucial first step.

At CybeReady, we understand that healthcare professionals are busy with their daily routine and workload, and often don't feel accountable for security or data privacy. Working in lean teams and without time for adequate training, they can easily click on the wrong link or unintentionally download a malicious attachment, exposing an entire interconnected network to risk. Yet as a security leader in a complex healthcare environment, your eyes can't be everywhere at once.

Our awareness training platform steps in to close those gaps and provide visibility into the security hygiene of your employees through continuous simulation and Just in Time learning, an approach proven to create behavioral change. We use a positive, jargon-free approach, engaging all employees through bite-sized content that doesn't take them out of the flow of work and is customized to meet the unique threats of the healthcare sector.

Behind the scenes, the program runs autonomously with minimal IT effort, providing the peace of mind and the evidence you need to prove that you are safeguarding data against malicious intent.

Interested in adopting security awareness training for your healthcare organization to reduce the risk of becoming the next healthcare attack headline? Schedule a demo to see how it works.